Does Istio support proxy protocol?
I set a gateway behind an haproxy with TCP forwarding and proxy protocol ("send-proxy" flag) but it doesn't work.
I know Envoy supports it but it seems that Istio doesn't.
If it doesn't support it, is there another way to retrieve the source IP?
Thanks for your help.
You may have to apply this:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: proxy-protocol
namespace: istio-system
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
listener_filters:
- name: envoy.listener.proxy_protocol
- name: envoy.listener.tls_inspector
As my istio ingress gateway is behind AWS ELB, I also had to enable proxy protocol on ELB:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
spec:
profile: default
components:
ingressGateways:
- name: istio-ingressgateway
namespace: istio-system
enabled: true
# Copy settings from istio-ingressgateway as needed.
values:
gateways:
istio-ingressgateway:
serviceAnnotations:
# Note that Helm values (spec.values.gateways.istio-ingressgateway/egressgateway)
# are shared by all ingress/egress gateways.
# If these must be customized per gateway,
# it is recommended to use a separate IstioOperator CR
# Enable Prox protocol
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
If you will miss envoy.listener.tls_inspector
you will get:
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx
openssl: no peer certificate available
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.